How to only use the remote introspection

Hi Team,

I’m trying to just use the remote introspection for OKTA.
I created a SPA application with PKCE. It only has the client id but no client secret.
When I configured the remote introspection information in the external authorization server, I don’t know which client secret should be input. If I leave it blank, the page doesn’t let me save.
So I just input another okta web app’s client secret.

But I always got the error message as below:
“UnAuthorized application request”

If I remove the remote introspection information and input the local introspection information, I can get the correct result, no error “UnAuthorized application request”.

Any idea how to configure the correct remote introspection for okta SPA with PKCE?

Thanks & Regards,
Jason

Hi Jason,

Please take a look at this thread/article and it should help further with OKTA specific topic also:

http://techcommunity.softwareag.com/pwiki/-/wiki/Main/Securing%20APIs%20using%203rd%20party%20OAuth%202%20provider%20in%20API%20Gateway

HTH,
RMG
